[SOLVED] Wireguard: cannot access another machine or the Internet (docker installed)

Hello

I’m running

DietPi v8.18.2 on a RPi 3 Model B (aarch64)
Linux development 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux

and have installed Unbound and AdGuard Home on 192.168.1.10, both working OK. I have installed WireGuard as well.
With the client conf file installed on my Android mobile phone and the WireGuard app, I can connect to my home LAN and access 192.168.1.10.
However, I cannot access another DietPi instance on 192.168.1.20, nor the Internet (via the VPN, of course).

dietpi@development:~$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.9.0.1/24
PrivateKey =
ListenPort = 51820

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = sysctl net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.9.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE

# Client 1
[Peer]
PublicKey =
AllowedIPs = 10.9.0.2/32

# Client 2
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32
dietpi@development:~$ sudo cat /etc/wireguard/wg0-client.conf
[Interface]
Address = 10.9.0.2/24
PrivateKey =

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 1.1.1.1

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey =
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.68.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.68.130/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.com:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

Thanks in advance for any tip on how to move on.

Regards,

Short question: do you have Docker installed?

Totally forgot, sorry. Yes, Portainer is installed via dietpi-software, in order to experiment with container software.

OK, in this case Docker is blocking the access. The explanation is given in the Docker docs: Packet filtering and firewalls | Docker Documentation

The solution would be:

iptables -I DOCKER-USER -i eth0 -o wg0 -j ACCEPT

Afterwards, you would need to install iptables-persistent to make your changes persistent.
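Added here as a worked example, not code from the thread or from DietPi: a small POSIX shell script that reproduces the reasoning of the answer above offline. It takes constructed `iptables -S FORWARD; iptables -S DOCKER-USER` output as it looks on a Docker host after `wg-quick up wg0`, reports whether the FORWARD policy of DROP will swallow the replies coming back towards the VPN clients, and prints the DOCKER-USER rule for the real uplink interface instead of a hardcoded eth0. Assumptions (hypothetical, chosen to match the posted wg0.conf): the tunnel interface is wg0, the tunnel subnet is 10.9.0.0/24, and the uplink is whatever the default route names. The sample rule listing and the sample route line are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from DietPi: check whether a
# Docker host's FORWARD chain drops the return path of a WireGuard tunnel, and
# print the DOCKER-USER fix for the real uplink interface.
# Assumptions (hypothetical, matching the posted wg0.conf): tunnel interface
# wg0, tunnel subnet 10.9.0.0/24; the uplink is whatever the default route
# names, which is eth0 on an Ethernet-connected Pi but wlan0 on Wi-Fi.

# Constructed sample of `iptables -S FORWARD; iptables -S DOCKER-USER` on a
# Docker host after `wg-quick up wg0`: Docker sets the policy to DROP and jumps
# to DOCKER-USER before anything else; wg-quick's PostUp appended the last
# FORWARD rule, which only covers the wg0 -> uplink direction.
SAMPLE_BROKEN='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Constructed sample of `ip r l 0/0` on a Pi that is on Wi-Fi, not Ethernet.
SAMPLE_ROUTE_WIFI='default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.10 metric 600'

# uplink_from_route ROUTE_TEXT: interface name from a default-route line,
# the same field the PostUp lines in wg0.conf pick with mawk.
uplink_from_route() {
  printf '%s\n' "$1" | awk '{ print $5; exit }'
}

# docker_blocks_return RULES WG: prints "blocked" when the FORWARD policy is
# DROP and no rule in FORWARD or DOCKER-USER accepts packets leaving via WG
# (replies coming back from the LAN/Internet to VPN clients); else "ok".
docker_blocks_return() {
  printf '%s\n' "$1" | awk -v wg="$2" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3 }
    $1 == "-A" && ($2 == "FORWARD" || $2 == "DOCKER-USER") && /-j ACCEPT/ {
      if (($0 " ") ~ ("-o " wg " ")) ok = 1   # explicitly accepts traffic out via wg
      else if ($0 !~ / -[io] /) ok = 1        # unrestricted ACCEPT (e.g. bare ESTABLISHED rule)
    }
    END { if (policy != "DROP" || ok) print "ok"; else print "blocked" }'
}

# wg_return_fix UPLINK WG: the two commands that open the return path. They go
# into DOCKER-USER because Docker evaluates that chain before its own rules,
# and they are narrowed to RELATED,ESTABLISHED so the LAN cannot initiate
# connections to VPN clients (the thread's rule accepts all eth0 -> wg0 traffic).
wg_return_fix() {
  printf 'iptables -I DOCKER-USER -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$1" "$2"
  printf 'ip6tables -I DOCKER-USER -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$1" "$2"
}

# Offline demonstration on the constructed samples.
echo "uplink on the Wi-Fi sample: $(uplink_from_route "$SAMPLE_ROUTE_WIFI")"
echo "before fix: $(docker_blocks_return "$SAMPLE_BROKEN" wg0)"
SAMPLE_FIXED="$SAMPLE_BROKEN
$(wg_return_fix eth0 wg0 | head -n 1 | sed 's/^iptables -I /-A /')"
echo "after fix:  $(docker_blocks_return "$SAMPLE_FIXED" wg0)"
wg_return_fix "$(uplink_from_route "$SAMPLE_ROUTE_WIFI")" wg0

# Live use on the Pi itself (as root, with Docker running):
#   rules="$(iptables -S FORWARD; iptables -S DOCKER-USER)"
#   [ "$(docker_blocks_return "$rules" wg0)" = blocked ] && \
#     wg_return_fix "$(ip r l 0/0 | awk '{print $5; exit}')" wg0 | sh
#   netfilter-persistent save    # after installing iptables-persistent
```

Two practical notes. First, the interface in `-i eth0` has to be the interface the default route actually leaves through; on a Pi on Wi-Fi it is wlan0, and a rule naming eth0 silently matches nothing. Second, the same two commands can equally be put in a PostUp line of wg0.conf next to the existing ones, with the matching `-D` form in PostDown, which ties their lifetime to the tunnel instead of to iptables-persistent; if you do persist them with `netfilter-persistent save`, save while wg0 is down, because the dump otherwise also captures the FORWARD and MASQUERADE rules that wg-quick's PostUp adds again on every `wg-quick up`.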

Thank you!

By the way, do you know where the iptables rules were previously stored? As of now, they are in

/etc/iptables/rules.v4
/etc/iptables/rules.v6

which did not exist before installing iptables-persistent.

If I am not mistaken, iptables rules are created dynamically by each application. Therefore, you did not find any configuration files before setting up iptables-persistent.

What I never tried, but might work as well, is to include the iptables rules directly in wg0.conf. Something to test 🙂

EDIT: Ah, this requires more configuration, forget about that idea. Better to stick with iptables-persistent.